.

[Article]-Review: SANS SEC709 Developing Exploits

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Jul 15, 2009 1:06 pm

[Article]-Review: SANS SEC709 Developing Exploits

Thanks to regular contributor, Zoher Anis AKA vijay2, for this review. Hope you find it helpful.

Permanent link: [Article]-Review: SANS SEC709 Developing Exploits


Image


Review by Zoher Anis, TerpSys

I had the opportunity to attend SANS 2009 in Orlando, once again as a facilitator. This time it was to tackle the toughest course SANS has to offer, SANS SEC709 Developing Exploits for Penetration Testers and Security Researchers, currently their only 700-level course. As described on SANS web site:

"In this course, we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This four-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research."

I would like to begin by saying that the above description is very accurate and should be taken word-for-word. It is a very tough course and very fast-paced. It does require you to know intermediate level x86 assembly programming, basic level C and python to get the most out of the course. Here’s a quick day-by-day account of my experiences.



Let us know what you think and also recommend other courses, SANS or otherwise, you'd like for us to review.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Jul 15, 2009 1:15 pm

Re: [Article]-Review: SANS SEC709 Developing Exploits

Nice write-up, Zoher. Thanks for the review! Sounds like it was a pretty intense training course. Will have to look into this one sometime down the road.
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Jul 15, 2009 1:38 pm

Re: [Article]-Review: SANS SEC709 Developing Exploits

Sounds like a positive write up. Just by the description of the course I figured it'd be some advanced stuff. Considering this guys an OSCP, I'd love to hear a review of the Cracking the Perimeter course offered by the Offensive Security guys. Maybe that'll be something I'm looking forward to. 8) - It sounds like this training would've been some good preparation.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

mjw

Newbie
Newbie

Posts: 2

Joined: Thu May 07, 2009 2:14 pm

Post Wed Jul 15, 2009 3:15 pm

Re: [Article]-Review: SANS SEC709 Developing Exploits

Next up was Windows heap exploitation. We looked at methods to abuse the Process Environment Block (PEB) and other constructs to gain control of a process. We moved from there into browser-based exploitation and how to increase the chances of exploitation through heap spraying. Day 3 ended with a look at Windows shellcode and how it differs from Linux.


How do you teach windows heap exploitation in less than a day?
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jul 15, 2009 3:30 pm

Re: [Article]-Review: SANS SEC709 Developing Exploits

He has a point there, is this course a little too fast paced? 
~~~~~~~~~~~~~~
Ketchup
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Jul 16, 2009 12:13 am

Re: [Article]-Review: SANS SEC709 Developing Exploits

Very nice write-up, thanks. :)

The first thing which came in my mind was that 4 days are realy short for anything more than an overview/ introduction. Although I am sure that the author of the course has very much knowledge as otherwise he couldn't do such a course, but it is in my opinion not possible to teach someone seriously exploit development in that short amount of time.
However, it should be enough time to teach the concepts behind it, show some examples and get the message through the audience for further research.

Wish the SANS courses where not so expensive. \:
<<

blueshift23

Newbie
Newbie

Posts: 3

Joined: Mon Aug 04, 2008 1:42 pm

Post Thu Jul 16, 2009 2:10 am

Re: [Article]-Review: SANS SEC709 Developing Exploits

Thanks for the write-up Zoher... :)

This is Steve Sims, author of the course... Thanks to Google for alerting me about the posting! I'm happy to say that the course has now moved to a five-day version to allow for more time on the material and to include additional modules on fuzzing.

Your statement is correct, "How can you teach Windows Heap Overflows in less than one day?" The fact is simply that each vulnerability is different. You could spend several days alone on heap overflows relative to a specific OS. Unfortunately, to spend that many days on one niche topic does not serve anyone very well. The focus of the course is to go deep inside of various exploitation techniques to get you thinking outside of the box. Consider it as a bridge that the course will help you cross. You must have a passion for exploit development and leverage accordingly.

Stack overflows, both on Windows and Linux, are quite simple. There are a standard set of techniques that you will often find on Milw0rm. <-- (An awesome resource!) SEC709 gets you thinking of ways to handle the unexpected. When performing exploit development on a day-to-day basis, you find yourself with constant obstacles. SEC709 focuses on how to defeat modern OS controls such as stack canaries, Data Execution Prevention (DEP), ASLR, etc...

As for more advanced techniques, you will be forced to utilize your knowledge gained to help you think in more abstract terms. We cover several advanced techniques that should be included as part of your custom pen-testing arsenal. It is up to you to utilize your skills and think creatively. Pounding several days of advanced heap exploitation into someone's head will only leave that person mentally exhausted by day two and with a small skill set upon completion. Heap exploitation is a necessary rite of passage and we cover techniques accordingly.

The goal of the course is to get you beyond using pre-compiled pen-testing tools such as Metasploit, Core, Saint, Immunity, and to get you writing your own exploits. Of course these tools are awesome, but if you have custom applications, 3rd party developed tools, or are considering using commercial products in your environment, you need to be prepared to properly assess them. Unless you're using a public app and someone else discovered every vulnerability in the application, how can you comfortably go to production? I just couldn't sleep at night! :) lol

Please feel free to contact me at stephen@deadlisting.com if you have any questions. I'm happy to provide you with more details on the course format, topics covered, preparation materials, or any other questions you may have.

Thanks again to Don for providing such a great resource! Hope to see you all soon. I'll be around DEFCON. Buying me a beer may get you a course discount!

Regards....

Steve
<<

vijay2

Full Member
Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Jul 16, 2009 6:59 am

Re: [Article]-Review: SANS SEC709 Developing Exploits

Thanks Don for posting this and thanks Steve for beating me on the reply :) .. I bet Google works better on the west coast :). close to source ?  ???

Well I just wanted to mention that I took the course back in April at SANS 2009 in Orlando, and since then the course is moved to 5 days starting SANS Fire.

The new Day 1 is all about Fuzzing written by Josh Wright.. So I don't think adding a day has slowed the pace down rather added some great stuff...

Hope this helps.. Steve maybe we get can beer when you are in the area :)

VJ
Last edited by vijay2 on Thu Jul 16, 2009 7:02 am, edited 1 time in total.
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 18, 2009 2:58 pm

Re: [Article]-Review: SANS SEC709 Developing Exploits

Submitted to digg... do yo thang!

http://digg.com/programming/Review_SANS ... g_Exploits

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Aug 19, 2009 12:07 am

Re: [Article]-Review: SANS SEC709 Developing Exploits

dugg, and i will be leading the facilitators team and facilitating this class for SANS Network Security San Diego if any of you will be there.

:P

ill need someone to keep me sane through days of exploitation.

Return to /root

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software